Kernel Configuration

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

Warning

This article is unmaintained.

Network Options Configuration

Here's a screen shot of my Network Options Configuration:

While not all of the options that I've selected are required, they
should be sufficient for most applications. Here's an excerpt from the
corresponding .config file (Note: If you are running a kernel older than
2.4.17, be sure to select CONFIG_NETLINK and CONFIG_RTNETLINK):

#
# Networking options
#
CONFIG_PACKET=y
# CONFIG_PACKET_MMAP is not set
# CONFIG_NETLINK_DEV is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_ROUTE_LARGE_TABLES is not set
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE=y
# CONFIG_NET_IPGRE_BROADCAST is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
CONFIG_INET_ECN=y
CONFIG_SYN_COOKIES=y

Netfilter Configuration

Here's a screen shot of my Netfilter configuration:

Note that I have built everything I need as modules. You can also
build everything into your kernel, but if you want to be able to handle
FTP running on a non-standard port then you must modularize FTP Protocol support.

Kernel 2.6.20 and Later Netfilter Options

Beginning with kernel 2.6.20, the Netfilter kernel configuration was
completely changed. It is split into "Core Netfilter Configuration" and
"IP Netfilter Configuration". The first graphic shows the link to the
Netfilter configuration from the "Networking Options" menu:

The next graphic shows the Core Configuration settings - these are
the standard Ubuntu settings with the exception of CONNMARK Target support
(Ubuntu inexplicably includes connmark match support but not CONNMARK
target support).

The next graphic shows the IP
Netfilter Configuration -- these are the standard Ubuntu settings.
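The following script is an added example and is not part of this article or of Shorewall itself. It audits a kernel .config file for the three points made above: that the networking options from the "Networking options" excerpt are enabled, that the FTP connection-tracking helper is built as a module (the article's condition for handling FTP on a non-standard port, since the port list is a module parameter), and that a 2.6.20+ kernel does not have the connmark match without the CONNMARK target, which is the Ubuntu default complained about above. The option names CONFIG_IP_NF_FTP, CONFIG_NF_CONNTRACK_FTP, CONFIG_NETFILTER_XT_MATCH_CONNMARK and CONFIG_NETFILTER_XT_TARGET_CONNMARK are real kernel symbols but do not appear in the article; the sample .config fragment at the bottom is constructed for the demonstration and is not any real kernel's configuration. Point `audit` at /boot/config-$(uname -r) or the output of `zcat /proc/config.gz` to check a real kernel.

```shell
#!/bin/sh
# Added example, not part of the Shorewall article: audit a .config-style
# text file against the kernel options the article discusses.

# Options from the article's "Networking options" excerpt that Shorewall's
# routing and packet-marking features rely on (CONFIG_NETLINK/CONFIG_RTNETLINK
# only matter before 2.4.17 and are left out).
REQUIRED_OPTIONS="CONFIG_PACKET CONFIG_NETFILTER CONFIG_FILTER CONFIG_UNIX CONFIG_INET \
CONFIG_IP_ADVANCED_ROUTER CONFIG_IP_MULTIPLE_TABLES CONFIG_IP_ROUTE_FWMARK CONFIG_SYN_COOKIES"

# option_state FILE OPTION: prints y (built in), m (module) or n (unset / "is not set").
option_state() {
    val=$(grep "^$2=[ym]\$" "$1" | head -n 1 | cut -d= -f2 || true)
    if [ -n "$val" ]; then echo "$val"; else echo n; fi
}

# missing_options FILE: space-separated list of required options that are neither y nor m.
missing_options() {
    missing=""
    for opt in $REQUIRED_OPTIONS; do
        if [ "$(option_state "$1" "$opt")" = n ]; then
            missing="$missing $opt"
        fi
    done
    echo "${missing# }"
}

# ftp_helper_state FILE: "modular", "builtin" or "absent" for the FTP conntrack helper.
# The article requires "modular" when FTP runs on a non-standard port.
# Checks the 2.4-era name first, then the 2.6.20+ name.
ftp_helper_state() {
    for opt in CONFIG_IP_NF_FTP CONFIG_NF_CONNTRACK_FTP; do
        case $(option_state "$1" "$opt") in
            m) echo modular; return 0 ;;
            y) echo builtin; return 0 ;;
        esac
    done
    echo absent
}

# connmark_mismatch FILE: "mismatch" when the 2.6.20+ connmark match is enabled
# but the CONNMARK target is not (the Ubuntu default noted above), else "ok".
connmark_mismatch() {
    match=$(option_state "$1" CONFIG_NETFILTER_XT_MATCH_CONNMARK)
    target=$(option_state "$1" CONFIG_NETFILTER_XT_TARGET_CONNMARK)
    if [ "$match" != n ] && [ "$target" = n ]; then echo mismatch; else echo ok; fi
}

# audit FILE: human-readable report combining the three checks.
audit() {
    printf 'Config file: %s\n' "$1"
    m=$(missing_options "$1")
    if [ -n "$m" ]; then
        printf 'MISSING networking options: %s\n' "$m"
    else
        echo 'All required networking options present'
    fi
    printf 'FTP conntrack helper: %s\n' "$(ftp_helper_state "$1")"
    printf 'CONNMARK target/match: %s\n' "$(connmark_mismatch "$1")"
}

# Constructed sample .config fragment (not a real kernel's) so the script runs
# offline: CONFIG_FILTER unset, FTP helper built in, connmark match without target.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_PACKET=y
CONFIG_NETFILTER=y
# CONFIG_FILTER is not set
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_SYN_COOKIES=y
CONFIG_IP_NF_FTP=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
EOF

audit "$SAMPLE_CONFIG"
```

On the sample the report lists CONFIG_FILTER as missing, reports the FTP helper as "builtin" (so a non-standard FTP port could not be configured through the module's port parameter) and flags the connmark mismatch; on a kernel built from the article's excerpt with a modular FTP helper and both CONNMARK symbols enabled, all three checks pass.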

Minimal Configuration using Kernel 2.6.20 and later

Massimo Burcheri has contributed this minimal configuration which is
suitable for securing a laptop or desktop. It is strictly a "no-frills"
configuration and represents the minimum that will work with Shorewall
when using only the very basic Shorewall features described in the one-interface quickstart guide.